Memorandum from the Office of the Inspector General

September 20, 2007

John E. Long, Jr., WT 7B-K

REQUEST FOR FINAL ACTION – AUDIT 2007-039T-02 – BACKUP VERIFICATION

Attached is the subject final report for your review and final action. Your written comments, which addressed your management decision and actions planned or taken, have been included in the report. Please notify us when final action is complete.

If you have any questions, please contact Phyllis R. Bryan, Project Manager, at (865) 632-4043 or Jill M. Matthews, Director, Information Technology Audits, at (865) 632-4730. We appreciate the courtesy and cooperation received from your staff during the audit.

Ben R. Wagner
Deputy Inspector General
ET 3C-K

PRB:SDB
Attachment
cc (Attachment):
      Steven A. Anderson, SP 5A-C
      William R. Brandenburg, Jr., MP 2B-C
      Frank A. Foster, OCP 2C-NST
      Tom D. Kilgore, WT 7B-K
      Janice W. McAllister, EB 7A-C
      Richard W. Moore, ET 4C-K
      Emily J. Reynolds, OCP 1L-NST
      E. Wayne Robertson, SP 5A-C
      OIG File No. 2007-039T-02


BACKUP VERIFICATION OF TVA PRODUCTION SYSTEMS

Audit 2007-039T-02
September 20, 2007


Synopsis

   •   In summary, we found:
        –   All but 20 production distributed servers, all production databases, and the mainframe were being backed up at the time of our testing. Information Services (IS) provided explanations and/or actions taken for the 20 servers not being backed up.
        –   Thirteen obsolete or inactive backup “policies.”¹
        –   Nine servers with undocumented exclude lists.
   •   Based on other observations noted during the audit, we believe an overall process design review could facilitate a better integrated and more efficient backup and restore process.

   ¹ Policies are rules within the software used to back up servers.


Background

   •   Backup and Disaster Recovery (DR) requirements are driven by Service Level Agreements (SLA) negotiated between IS and Application Owners. If specific DR requirements are not defined, a standard schedule of a weekly full backup and daily incremental backups is performed on the server.
   •   Over the past year, TVA has experienced two backup failures (one of which resulted in loss of employee data and the other resulted in loss of [Redacted]) and a “near” miss in November 2006 (backup personnel were reconciling client list and found one client was missing; however, no data loss occurred).
   •   In February 2007, TVA implemented a verification process to check weekly for additions and removals of servers from the backup system. The new matching process would not identify servers missing prior to February.
   •   As a result of the PRIS backup failure in March 2007, the OIG was requested to perform a full backup verification of all TVA production systems.


Objective, Scope, and Methodology

   Objective
   •   Verified the necessary backups were being performed on servers and related databases.

   Scope and Methodology
   •   Interviewed IS personnel.
   •   Obtained server, application, and database information from IS personnel, HP Service Desk, and the DBA monitor Web page.
   •   Obtained backup reports from IS personnel and the NetBackup Web page.
   •   Verified servers identified with the role of production in HP Service Desk either (1) were backed up or (2) were known exclusions from being backed up.
   •   Verified Oracle, SQL Server, and DB2 database backups to disk were also being backed up to tape.
   •   Verified the frequency of backups supported the DR level assigned either to the server or to the applications/databases hosted on the server.
   •   Reviewed the NetBackup policies for full backups.
   •   Reviewed the reasonableness of the exclude file listing for each server.
   •   Fieldwork was conducted between May and August 2007.
   •   This audit was performed in accordance with generally accepted government auditing standards.


Findings

   Distributed Servers
   •   Of the 1,102 production servers, we determined 1,082 servers were being backed up.
   •   For the 20 servers which were not being backed up, IS provided the following explanations:
        –   Three servers had been retired but still had the role of “Production” in HP Service Desk.
        –   Three servers contained no data, thus requiring no backup.
        –   Three non-IS supported servers which were functioning as workload balancing servers did not contain any data. According to the Application Owner, no backups were required for these systems.
        –   One server was experiencing performance problems which prevented it from being backed up on a regular schedule. IS discontinued backups when the data from an older system was being converted to a storage location for review by the Business Owner. We confirmed the server where this data is stored was being backed up.
        –   Ten production servers (one of these is used for program development but still classified as “Production” in HPSD) were identified as having no defined backups. During the course of our audit, IS created work orders to initiate backups for these servers. IS subsequently decided to reassess the backup needs of these servers.

   Mainframe
   •   We determined the mainframe was receiving scheduled backups.

   Databases
   •   We determined the 379 Oracle, SQL, and DB2 databases were receiving scheduled backups to tape.

   Backup Policies
   •   Policies are rules that the backup software follows when backing up servers. A “full” policy is used to perform a complete backup of the server. We identified 201 full policies across 20 primary backup servers. Of those policies, three were inactive and ten were obsolete. IS plans to remove the obsolete policies.

   Exclude Lists
   •   Exclude lists define files and/or directories that will not be backed up on a server. Our understanding is groups other than the Backup Group (i.e., System Administrators) have the ability to make changes to the exclude list. For nine servers, IS did not have supporting documentation for the exclusions.


Other Observations

   •   We believe management should consider an overall process design review to develop a better integrated and efficient backup and restore process. The review should address issues previously found in OIG audits, Summary of Aggregated Gap design control deficiencies (such as backup verification, controls implemented as a result of the backup failures), and the following observations:
        –   There appears to be a lack of integration/communication between the groups with key responsibilities in the backup process.
        –   Multiple Service Levels (4) and DR Classes (4) may be contributing to a more complex environment than necessary.
             •   Customers have been able to choose a wide variety of combinations between service levels and DR classes (16 total combinations).
             •   IS has not yet synchronized applications and data based on service levels and DR classes (i.e., many database instances have data for applications that have two or more service levels).
        –   Server roles were not always accurate in HPSD – three servers classified as production were actually retired.


Recommendations

   We recommend the Chief Administrative Officer and Executive Vice President, Administrative Services:
    1. Ensure the exclude lists are reviewed for appropriateness. Additionally, a process should be developed to ensure all requests for (a) addition to and/or (b) deletion of files to be backed up are properly documented, reviewed, and approved.
    2. Consider initiating a business process review to develop a better integrated and more efficient backup and restore process.

   TVA Management’s Comments – The Chief Administrative Officer and Executive Vice President, Administrative Services, agreed with our facts, conclusions, and recommendations and provided proposed actions to implement our recommendations. TVA management plans to (1) initiate periodic reviews of the backup schedules and exclude lists; (2) document procedures to maintain the exclude lists; and (3) initiate a process redesign to improve the backup process (see Appendix for entire response).

   Auditor’s Response – We concur with management’s proposed actions.


APPENDIX

Draft Audit 2007-039T-02 - Personnel Records Imaging System - Backup Verification
Office of the Inspector General - Audit Report

Findings

   Distributed Servers
   •   Of the 1,102 production servers, we determined 1,083 were being backed up.
   •   For the 20 servers which were not being backed up, IS provided the following explanation:
        •   Three servers had been retired but still had the role of “Production” in HP Service Desk.
        •   Three servers contained no data, thus requiring no backup.
        •   Three non-IS supported servers which were functioning as workload balancing servers did not contain any data. According to the Application Owner, no backups were required for these systems.
        •   One server was experiencing performance problems which prevented it from being backed up on a regular schedule. IS discontinued backups when the data from an older system was being converted to a storage location for review by the Business Owner. We confirmed the server where this data is stored was being backed up.
        •   Ten production servers (one of these is used for program development but still classified as “Production” in HPSD) were identified as having no defined backups for these servers. IS subsequently decided to reassess the backup needs for these servers.

   Mainframe
   •   We determined that the mainframe was receiving scheduled backups.

   Databases
   •   We determined the 379 Oracle, SQL and DB2 databases were receiving scheduled backups to tape.

   Backup Policies
   •   Policies are rules that the backup software follows when backing up servers. A “full” policy is used to perform a complete backup of the server. We identified 201 full policies across 20 primary backup servers. Of those policies, three were inactive and ten were obsolete. IS plans to remove the obsolete policies.

   Exclude Lists
   •   Exclude lists define files and/or directories that will not be backed up on a server. Our understanding is groups other than the Backup Group (i.e. System Administrators) have the ability to make changes to the exclude list. For nine servers, IS did not have supporting documentation for the exclusions.

   Other Observations
   •   We believe management should consider an overall process design review to develop a better integrated and efficient backup and restore process. The review should address issues previously found in OIG audits, Summary of Aggregated Gap design control deficiencies (such as backup verification, controls implemented as a result of the backup failures), and the following observations:
        o   There appears to be a lack of integration/communication between groups with key responsibilities in the backup process.
        o   Multiple Service Levels (4) and DR Classes (4) may be contributing to a more complex environment than necessary.
             •   Customers have been able to choose a wide variety of combinations between service levels and DR classes (16 total combinations).
             •   IS has not yet synchronized applications and data based on service levels and DR classes (i.e., many database instances have data for applications that have two or more service levels).
        o   Server roles were not always accurate in HPSD - three servers classified as production were actually retired.

Recommended Action

    1. Ensure the exclude lists are reviewed for appropriateness. Additionally, a process should be developed to ensure all requests for (a) addition to and/or (b) deletion of files to be backed up are properly documented, reviewed and approved.
    2. Consider initiating a business process review to develop a better integrated and more efficient backup and restore process.

Risk Management Information

   RMF 2007-292
   Potential Impact: Moderate
   Likelihood: Moderate
   Risk Rating: Moderate

Response

    1. Concur. A periodic review of each server’s backup schedule and exclude lists will be performed beginning with the first quarter of FY08. In addition, the process for the maintenance of the exclude list will be documented and updates restricted.
    2. Concur. The initial process redesign will be completed by 12/15/07.